Conficker / Downadup spreading vectors




MS08-067 
Vulnerability in Server service 




USB-Flash drives 
Autorun & Autoplay 
ADMIN$ shares

abc123

academia 

access 

account 

Admin 

admin 

admin1

admin12 

admin123 

adminadmin 

administrator 

anything 

asddsa 

asdfgh 



IP range : 91.199.104.0 - 91.199.104.255 
Network name : BITDEFENDER 

IP range : 192.88.209.0 - 192.88.209.255
Network name : CERT-NET 

Abuse E-mail : cert@cert.org 



IP range : 207.242.88.0 - 207.242.88.255
Infos : COMPUTER ASSOCIATES

IP range : 72.32.7.88 - 72.32.7.95
Infos : ESET LLC
Infos : 1172 Orange Ave

IP range : 204.118.23.96 - 204.118.23.12 -
Infos : FRISK Software International

IP range : 65.200.212.0 - 65.200.212.255
Infos : F-Secure Inc.
Infos : 100 Century Center Court
Infos : Suite 700
Infos : San Jose
Infos : CA
Infos : 95112
[Screenshot: Windows AutoPlay dialog for Removable Disk (E:). Under "Install or run program": "Open folder to view files", Published by Microsoft Windows. Under "General options": "Open folder to view files" using Windows Explorer; "Use this drive for backup" using Windows Backup; "Speed up my system" using Windows ReadyBoost.]
http://www.confickerworkinggroup.org/wiki/

o 01.04.2009 : Conficker.C is Live and well

o 29.03.2009 : Conficker Working Group Web is Prepared

Thanks to Joe Stewart from
SecureWorks for his awesome 
work. 

Check for Infection 
Working Group Members

Afilias
AOL
Arbor
Cisco
ESET
F-Secure
Facebook
Global Domains International
ICANN
Internet Storm Center
Internet Systems Consortium
Juniper
Kaspersky
McAfee
Microsoft
Neustar
NIC Chile
SecureWorks
Shadowserver
SRI International
Support Intelligence
Symantec
Team Cymru
Trend Micro
Verisign






The bad boys keep watching us



Conficker.C blocked access to domains containing "f-secure" 
So we created fsecure.com in addition to f-secure.com
Conficker.E blocks both f-secure and fsecure 
[Screenshot: F-Secure home page open in a browser at http://fsecure.com/en_EMEA/]




Conficker Working Group & Shadowserver



